Managed access point protocol

ABSTRACT

Methods, apparatuses and systems facilitating deployment and configuration of managed access points in hierarchical wireless network systems. An embodiment of the invention facilitates deployment and configuration of conventional, substantially autonomous access points operating in connection with a central management node, such as a server or appliance. In another embodiment, the present invention facilitates deployment and configuration of light-weight access points in a hierarchical wireless network system. In one embodiment, the present invention also provides a streamlined encryption key exchange protocol adapted to hierarchical wireless network system architectures.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.10/394,905 filed Mar. 21, 2003 and entitled “Managed Access PointProtocol”.

This application makes reference to the following commonly owned U.S.patent applications and/or patents, which are incorporated herein byreference in their entirety for all purposes:

U.S. patent application Ser. No. 10/155,938 in the name of Patrice R.Calhoun, Robert B. O'Hara, Jr. and Robert J. Friday, entitled “Methodand System for Hierarchical Processing of Protocol Information in aWireless LAN.”

FIELD OF THE INVENTION

The present invention relates to wireless networks and, moreparticularly, to methods, apparatuses and systems facilitating thedeployment and configuration of managed access points in a hierarchicalwireless network system.

BACKGROUND OF THE INVENTION

Market adoption of wireless LAN (WLAN) technology has exploded, as usersfrom a wide range of backgrounds and vertical industries have broughtthis technology into their homes, offices, and increasingly into thepublic air space. This inflection point has highlighted not only thelimitations of earlier-generation systems, but the changing role WLANtechnology now plays in people's work and lifestyles, across the globe.Indeed, WLANs are rapidly changing from convenience networks tobusiness-critical networks. Increasingly users are depending on WLANs toimprove the timeliness and productivity of their communications andapplications, and in doing so, require greater visibility, security,management, and performance from their network.

As enterprises and other entities increasingly rely on wirelessnetworks, monitoring and management of the components implementing thewireless network environments become critical to performance andsecurity. Heretofore, it has not been recognized how importantvisibility into all layers of the network protocol is to optimization ofnetwork manageability and user performance in wireless LANs (WLANs).Unlike centrally-managed cellular wireless systems, known WLAN solutionsuse distributed access points to act as bridges between the wiredinfrastructure and the wireless clients, removing all physical andwireless media access protocol information from the protocol frames thatare passed onto the infrastructure network. This results inuncoordinated handoffs of wireless clients moving between access points.An uncoordinated system of access points makes it difficult to manage alarge number of access points, because there is no point ofcoordination. For example, known prior art wireless network systems suchas conventional 802.11 systems provide the initial handshaking, accessauthentication and access association at a remote node without attentionto overall network loading and signal quality.

This type of distributed architecture creates many problems affectingnetwork management, mobility, and performance. Since each wireless LANaccess point is a separate managed device, distributed architecture ingeneral introduces many new managed elements in the network withoutsufficient attention to their global effects. Since the access pointsact in their own self-interest and are not aware of the actions taken bysurrounding access points, they handle mobility (e.g., handoff actions)as a local event, which significantly increases latency.

U.S. application Ser. No. 10/155,938, identified above, discloses ahierarchical wireless network architecture that optimizes networkmanagement and performance of a relatively autonomously-managed WLAN.According to the system architecture, a central control element managesand controls one more access elements. These light-weight accesselements perform real-time communication functions, such as datatransfer and acknowledgements, while the central control element managesthe connection between the access element and one or more wirelessclient devices.

Configuration of wireless network systems incorporating many managedaccess points can be complicated and time consuming. For example,configuration of the access elements in the hierarchical wirelessnetwork architecture disclosed above can be complicated and/or timeconsuming, especially where large number of access elements aredeployed. Accordingly, a need in the art exists for methods, apparatusesand systems that facilitate the deployment and configuration of managedaccess elements in a hierarchical wireless network system. Embodimentsof the present invention substantially fulfill this need.

SUMMARY OF THE INVENTION

The present invention provides methods, apparatuses and systemsfacilitating deployment and configuration of managed access points inhierarchical wireless network systems. An embodiment of the inventionfacilitates deployment and configuration of conventional, substantiallyautonomous access points operating in connection with a centralmanagement node, such as a server or appliance. In another embodiment,the present invention facilitates deployment and configuration oflight-weight access points in a hierarchical wireless network system. Inone embodiment, the present invention also provides a streamlinedencryption key exchange protocol adapted to hierarchical wirelessnetwork system architectures.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram illustrating a wireless networksystem according to an embodiment of the present invention.

FIG. 2 is a functional block diagram illustrating a wireless networksystem architecture according to a second embodiment of the presentinvention.

FIG. 3A is a flow chart diagram providing a method directed to theinitialization and configuration of an access element.

FIG. 3B is a flow chart diagram setting forth a method directed to thevalidation of a join response transmitted by a central control element.

FIG. 4 is a flow chart diagram illustrating a method supporting theinitialization and configuration of access elements.

DESCRIPTION OF PREFERRED EMBODIMENT(S)

A. Operating Environment and Exemplary System Architectures

For didactic purposes, an embodiment of the present invention isdescribed as operating in a WLAN environment as disclosed in U.S.application Ser. No. 10/155,938 incorporated by reference herein. Asdiscussed below, however, the present invention can be implemented in avariety of WLAN system architectures.

FIG. 1 illustrates a wireless computer network environment according toan embodiment of the present invention. Referring to FIG. 1, there isshown block diagram of a wireless Local Area Network (LAN) 10 accordingto an embodiment of the invention. A specific embodiment of theinvention includes the following elements: access elements 12-15 forwireless communication with remote client elements 16, 18, 20, 22 andcentral control elements 24, 26 for controlling and managing thewireless connections between the access elements 12-15 and the remoteclient elements. In one embodiment, access elements 12, 14 are directlyconnected to LAN 10 or a virtual local area network (VLAN) forcommunication with central control element 24, while access elements 13,15 are connected to a second LAN segment for communication with centralcontrol element 26. In one embodiment, central control elements 24, 26and access elements 12-15 are all connected to the same VLAN to allowfor layer 2 and layer 3 discovery mechanisms as described more fullybelow.

The access elements 12-15 are coupled via communication means using awireless local area network (WLAN) protocol (e.g., IEEE 802.11a or802.11b, etc.) to the client remote elements 16, 18, 20, 22. The LANsegment 10 connecting the access elements 12, 14 and the central controlelement 24 is typically an Ethernet network, but it could be anythingelse which is appropriate to the environment. In one embodiment, theaccess elements 12, 14 and the central control element 24 tunnel networktraffic associated with corresponding remote client elements 16, 18; 20,22 over the computer network. Central control element 24 is alsooperative to bridge the network traffic between the remote clientelements 16, 18; 20, 22 transmitted through the tunnel withcorresponding access elements 12, 14. Accordingly, remote clientelements 16, 18; 20, 22 may, for example, access resources available onWAN 50 or on global network 54 via router 52.

As described in the above-identified patent application, central controlelement 24 operates to perform link layer management functions, such asauthentication and association on behalf of access elements 12, 14. Forexample, the central control element 24 provides processing todynamically configure a wireless Local Area Network of a systemaccording to the invention while the access elements 12, 14 provide theacknowledgment of communications with the client remote elements 16, 18,20, 22. The central control element 24 may for example process thewireless LAN management messages passed on from the client remoteelements 16, 18; 20, 22 via the access elements 12, 14, such asauthentication requests and authorization requests, whereas the accesselements 12, 14 provide immediate acknowledgment of the communication ofthose messages without conventional processing thereof. Similarly, thecentral control element 24 may for example process physical layerinformation. Still further, the central control element 24 may forexample process information collected at the access elements 12, 14 onchannel characteristic, propagation, and interference or noise. Centralcontrol element 24 may also transmit control messages to the accesselements 12, 14 to change various operational parameters, such asfrequency channel and transmit power. Central control element 26 andassociated access elements 13, 15 operate in a similar or identicalmanner.

As FIG. 1 illustrates, according to another embodiment, central controlelement 24 can communicate with access elements 12, 14 over local areanetwork segment 10. In addition, using a virtual local area network(VLAN) technology and protocols, central control element 24 may alsocommunicate with access element 15 over WAN 50. Suitable VLAN protocolsinclude the IEEE 802.1Q (VLAN tagging) protocol or any other protocolallowing for a logical or virtual link layer connection between thecentral control element and the access elements. According to thisdeployment architecture, wireless traffic associated with remote clientelements 16, 18; 20, 22, according to one embodiment, can be tunneledbetween the central control element 24 and the access elements 12, 14.In another embodiment, access elements 12, 14 can operate to directlybridge network traffic between remote client elements 16, 18; 20, 22 andWAN 50, while tunneling network management messages, such asauthentication and association requests from remote client elements tocentral control element 24 as discussed above. In addition, according toeither embodiment, access elements 12, 14, central control element 24,or both access elements 12, 14 and central control element 24 caninclude layer 2 or layer 3 discovery mechanisms allowing for automaticdiscovery and configuration across WAN 50 of the components (centralcontrol elements and access elements) effecting the wireless networkenvironment. Furthermore, FIG. 2 illustrates an alternative deploymentarchitecture where the access elements 12-15 are connected to theirrespective central control elements 24, 26 via direct access lines 28,30.

B. Light-Weight Access Point Protocol (LWAPP)

The light-weight access point protocol includes functionality directedto initialization and configuration of access elements, as well asfailover support. At start-up, the light-weight access point protocol,according to an embodiment of the present invention, includes three mainphases: discovery, joinder, and configuration. During the discoveryphase, the access element discovers the central control elements towhich it can associate. During the joinder phase, the access element anda selected central control element authenticate one another andestablish cryptographic keys for use in encrypting subsequentcommunications. Lastly, the configuration phase involves theconfiguration of the access element with, for example, operationalparameters and, potentially, new software images. The access elementsand the central control elements can communicate using a variety ofprotocols, such as IEEE 802.3, IEEE 802.2, IP, UDP, TCP, etc.

In one embodiment, beyond the functionality discussed above, the centralcontrol elements include an image of the access element softwareaccessible to the access elements as discussed more fully below. Inaddition, the access elements each include a configuration moduleoperative to perform the initialization and configuration functionalitydescribed herein. The central control elements and the access elementsfurther include symmetric and asymmetric encryption functionality toperform tasks such as validating digital signatures, and encryptingmessages. In addition, the central control elements, in one embodiment,includes a cryptographic key generator for generating cryptographickeys.

In one embodiment, authentications between central control elements andaccess elements are provided by x.509 digital certificates and RSAdigital signatures. Privacy is provided to the key exchange via RSAencryption. The symmetric cryptographic keys, discussed herein, aregenerated (in one embodiment) using a random number generator whichcomprises both hardware and software components. Symmetric encryption isprovided by using the AES encryption algorithm in counter mode(AES-CTR). Integrity protection (also known as data authentication) isprovided using AES-CBC-MAC. A composition of these two algorithms isknown as AES CCM (Counter with CBC MAC). However, a variety ofencryption algorithms can be used. For example, DSA signatures can beused as an alternative to RSA digital signatures. El-Gamal encryptioncan be used as an alternative to RSA encryption. Alternatives to AES-CCMencryption include the combination of AES-CBC and HMAC-SHA1, as well as3DES-CBC and HMAC-SHA1.

For didactic purposes, assume that a network administrator physicallyconnects access element 15 to WAN 50, which implements a VLAN to whichall access elements 12-15 and central control elements 24, 26 areconnected. FIG. 3A sets forth a method, according to an embodiment ofthe present invention, implementing the discovery, joinder andconfiguration phases of LWAPP. FIG. 4 provides a method, implemented bycentral control elements, supporting the LWAPP functionality describedherein.

At startup, access element 15 broadcasts or multicasts discoveryrequests throughout the virtual subnet implemented by the VLAN in anattempt to identify central control elements (102). The discoveryrequest may be a single IP packet or native link layer frame, such as anEthernet frame. As FIG. 3A illustrates, access element 15 waits athreshold period of time for the receipt of discovery responses (104,105) before broadcasting or multicasting additional discovery requests.

As FIG. 4 illustrates, central control elements 24, 26 receive thediscovery requests (202) and transmit discovery responses to accesselement 15 (204). Each discovery response comprises a central controlelement identifier and a load parameter. The central control elementidentifier, in one embodiment, is an arbitrary identifier assigned by anetwork administrator. The load parameter indicates the performance loadassociated with the central control element. For example, the loadparameter, in one embodiment, is the number of access elements under themanagement and control of a given central control element. In oneembodiment, the discovery response also indicates whether the respondingcentral control element is the “master” central control element. Amaster central control element is a central control element exclusivelytasked with the configuration of access elements. In a large networkdeployment, centralization of the configuration functionality at amaster central control element eases management tasks associated withdeploying the wireless network system. For didactic purposes, assumethat a network administrator has configured central control element 24as the master central control element. The master control elementindication may be embedded in the central control element identifier ormay be contained in a separate, reserved field or bit of the discoveryresponse.

As FIG. 3A illustrates, access element 15 waits a threshold period oftime (104, 105) for discovery responses from one or more central controlelements and selects one of the responding central control elementsidentified in the discovery responses (106). The selection of a givencentral control element can be driven by a number of differentconsiderations. In embodiments involving a master central controlelement, for example, access element 15 selects the master centralcontrol element. In other embodiments, access element 15 selects theresponding central control element that reports the smallest load (e.g.,the smallest number of access elements under management). In oneembodiment, selection of responding central control elements follows thefollowing priority: 1) the primary central control element (ifconfigured), 2) the master central control element, and 3) the centralcontrol element reporting the smallest load.

After selection of a central control element, access element 15transmits a join request to the selected central control element (here,master central control element 24 for purposes of illustration). Thejoin request, in one embodiment, includes an access element identifier,a digital certificate and a session identifier. In one embodiment, thejoin request includes other fields, such as the WLAN MAC address,software image version, etc. In one embodiment, access element 15 isconfigured with a default access element identifier, which a networkadministrator can change as appropriate (e.g., “SW Conference Room AP,”etc.). In one embodiment, a network administrator, knowing the LAN MACaddress of access element 15 can access a configuration interface toconfigure a name or other identifier for access element 15 and theninvoke the initialization and configuration processes described herein.The digital certificate includes a name or other identifier, a serialnumber, the LAN and/or WLAN MAC address associated with access element15, a copy of the public key of the access element (used for encryptingmessages and digital signatures), and the digital signature of thecertificate-issuing authority (in one embodiment, the manufacturer ofthe access element) so that central control elements can verify that thedigital certificate is authentic. As FIG. 3A illustrates, access element15 waits for a predetermined period of time for a join response (110).If no join response is received within this period of time, accesselement 15 retransmits the join request (112, 113). After a thresholdnumber of failed attempts, access element 15, in one embodiment,restarts the discovery process to locate other central control elements.In another embodiment, access element 15 attempts to join with anothercentral control element identified during the previous discoveryprocess.

Central control element 24 (in this example) receives the join request(206) and authenticates the digital certificate in the join request(208). In one embodiment, central control element 24, using the publickey of the certificate-issuing authority, validates the digitalcertificate. If the digital certificate is invalid, central controlelement 24 ignores the join request (209). Optionally, central controlelement 24 can issue a notification to a network administrator.Otherwise, central control element 24 generates a secret, sharedcryptographic keys (in one embodiment, an authentication key and anencryption key) that will be used to encrypt and authenticate messagesbetween it and access element 15 (210). Central control element 24 thencomposes a join response and transmits it to access element 15 (212).

The join response, in one embodiment, includes the cryptographic keys(see below), the digital certificate of the central control element,and, optionally, the software image version supported and implemented bycentral control element 24. Similar to the access element, the digitalcertificate associated with the central control element includes a nameor other identifier, a serial number, a MAC address, a copy of thepublic key of the central control element, and the digital signature ofthe certificate-issuing authority (in one embodiment, the manufacturerof the access element) so that access elements can verify that thedigital certificate is authentic. To securely transmit and allow forverification of the symmetric cryptographic keys, central controlelement 24 encrypts the cryptographic keys with the public key of accesselement 15 using an asymmetric encryption algorithm, adds the sessionidentifier to the enciphered cryptographic keys, and digitally signs theresulting string with its private key.

When access element 15 receives the join response, it validates the joinresponse (114) and, assuming the join response is valid, decrypts andinstalls the symmetric cryptographic keys (115). FIG. 3B shows a method,according to one embodiment of the present invention, for validating ajoin response. Access element 15 validates the digital certificateassociated with central control element 24 (152). If the digitalcertificate is valid, access element 15 then verifies the signature ofthe signed key/session ID payload using the public key of the centralcontrol element 24 (154) and validates the session identifier (156).Access element 15 then decrypts the cipher including the cryptographickeys using its private key (115). Transmission of data (e.g.,configuration data, control messages, management messages, etc.) betweenthe access element 15 and central control element 24 can now beencrypted and authenticated using the shared secret cryptographic keys.In one embodiment, the central control elements can generate newcryptographic keys and provide them to the access elements at periodicintervals (e.g., every hour).

In one embodiment, the join request transmitted during the joinder phasecan also be configured to determine the Maximum Transmit Unit (MTU) forthe link between access element 15 and central control element 24. Forexample, in one embodiment employing Ethernet protocols, access element15 transmits a join request spanning 1596 bytes to determine whether thelink layer supports that frame size. This frame size is chosen todetermine whether a wireless packet (typically the size of a standardEthernet frame) can be encapsulated with additional headers andtransmitted without requiring fragmentation of the native frame. Ofcourse, the size of the initial join request is determined by the formatand size of the encapsulating headers. If access element 15 does notreceive a response to the join request, it reduces the size of the joinrequest to 1500 bytes (standard Ethernet) and transmits it again. If noresponse is received after a threshold period of time, access element 15returns to the discovery phase.

As FIG. 3A illustrates, access element 15 begins the configurationphase, in one embodiment, by comparing the image version identifier inthe join response to the image version installed on access element 15(116). If the image version in the join response is later than the imageversion associated with access element 15, access element requests thenew image version from central control element 24 (120). Access element15 receives the new image version, installs it and reboots (122),thereby restarting the initialization process described herein. In oneembodiment, the image request and response are encrypted using theshared symmetric key exchanged during the joinder phase.

Access element 15, assuming it has a current image version (at leastrelative to central control element 24), composes and transmits aconfiguration request to central control element 24 (124). As FIG. 3Aprovides, access element 15, in one embodiment, retries theconfiguration request a threshold number of times, after which itreturns to the discovery phase (126, 127). The configuration request, inone embodiment, includes a set of overriding configuration parametersthat cannot be changed. As discussed above, in one embodiment, theaccess elements include a configuration interface (e.g., a command lineinterface, browser interface, etc.) that allows a network administratorto directly configure an access element. In one embodiment, theconfiguration interface allows a network administrator to configure oneor more operational parameters (such as channel, transmit power,internal v. external antenna, etc.) and flag certain operationalparameters as overriding parameters which a central control element cannot change, except with a new “overriding” parameter value. In anotherembodiment, access element 15 can be configured only through aninterface presented by a central control element.

As FIG. 4 illustrates, central control element 24 receives theconfiguration request (214), and generates the operational parametersfor access element 15 (216), taking into account the overridingparameters identified in the configuration request. Central controlelement 24 then transmits a configuration response including theoperational parameters (218), and registers the access element 15 in adatabase (e.g., a single table, or a relational database), includingidentifying information (e.g., LAN MAC address, WLAN MAC address, accesselement identifier, etc.) and the operational parameters associated withthe access element (220). Access element 15 receives the configurationresponse (126), optionally stores the operational parameters innon-volatile memory, implements the operational parameters (128), andswitches to an access point mode. In one embodiment, access element 15switches to access point mode, using the configuration informationprovided by the central control element, and transmits a messageindicating the start up event to the central control element.

During subsequent start-ups (such as after power cycling, or a forcedreboot), access element 15, now configured with the central controlelement identifier (or link and/or network layer addresses)corresponding to its primary central control element, associates withthat central control element as the primary central control element.After the initial configuration, a network administrator may then accessa configuration interface associated with central control element 24 andfurther configure access element 15. For example, the networkadministrator may specify overriding parameters, or assign a new accesselement identifier. In addition, the network administrator may configurethe access element to associate with an alternative, primary centralcontrol element, such as central control element 26. In one embodiment,the physical deployment of the access elements 12-15 may be such thataccess elements 12, 14 are deployed on a first floor of a building,while access elements 13, 15 are deployed on a second floor or in aseparate physical location. The network administrator may then configureaccess element 15 to associate with central control element 26 tofacilitate management and operation of the wireless network, such ashandoffs of remote client elements between access element 13 and accesselement 15.

The access elements, in one embodiment, during normal access point modeoperation transmit “keep-alive” messages to their respective primarycentral control elements to detect failure events associated with thecentral control elements. Specifically, an access element that does notreceive a response to a keep-alive message after a threshold period oftime and/or after a threshold number of attempts, assumes that itsprimary central control element has failed. During a failover mode, theaffected access elements repeat the discovery, joinder and configurationphases discussed above. During this failover period, the access elementperiodically broadcasts or multicasts discovery requests to its primarycentral control element and re-associates with it when it receives adiscovery response. In one embodiment, assuming a new central controlelement has been installed, the network administrator configures thecentral control element identifier to match that of the failed centralcontrol element, thereby allowing the access element to identify the newcentral control element as its primary controller.

The invention has been explained with reference to specific embodiments.Other embodiments will be evident to those of ordinary skill in the art.As discussed above, FIG. 2 illustrates an alternative deploymentarchitecture where direct access lines connect the central controlelement 24 to the access elements 12, 14. Despite the difference inarchitecture, however, the initialization and configurationfunctionality and processes discussed above are essentially the same. Inaddition, although embodiments of the present invention have beendescribed as operating in 802.11 wireless networks, the presentinvention can be applied other wireless network environmentsimplementing alternative networking protocols. Furthermore, the presentinvention has application to other wireless network environments andimplementations; for example, the division of functionality between theaccess elements and the central control elements can be shifted. Forexample, the access elements can bridge network traffic associated withthe remote client elements directly, while transmitting managementpackets to the central control element. Still further, the light-weightaccess point protocol can be implemented in connection withsubstantially autonomous access points managed by a central managementserver or appliance. It is, therefore, intended that the claims setforth below not be limited to the embodiments described above.

1. A method, comprising: transmitting from a first network device afirst message having a first byte size to a second network device over anetwork; if a response to the first message is not received at the firstnetwork device, transmitting a second message having a second byte sizeto the second network device, wherein the second byte size is less thanthe first byte size; and validating the response to the first or secondmessage transmitted from the second network device.
 2. The method ofclaim 1 further comprising exchanging information between the firstnetwork device and the validated second network device.
 3. The method ofclaim 1 wherein the first byte size is greater than 1500 bytes.
 4. Themethod of claim 1 wherein the first byte size is greater than themaximum size of an Ethernet frame.
 5. The method of claim 1 wherein thesecond byte size is less than or equal to the maximum size of anEthernet frame.
 6. The method of claim 1 wherein the second byte size isequal to 1500 bytes.
 7. The method of claim 1 wherein the second bytesize is less than 1500 bytes.
 8. The method of claim 1 wherein the firstbyte size equals a maximum transmit unit size for a link layer protocolplus a number of bytes corresponding to an encapsulation header, andwherein the second number of bytes is the maximum transmit unit size forthe link layer protocol.
 9. A method comprising transmitting from afirst network device one or more discovery messages to discover one ormore other network devices connected to a network; selecting, at thefirst network device, a second network device from the one or morediscovered network devices; transmitting over the network a firstmessage having a first byte size to the second network device; if aresponse to the first message is not received at the first networkdevice, transmitting a second message having a second byte size to thesecond network device, wherein the second byte size is less than thefirst byte size; and validating the response to the first or secondmessage transmitted from the second network device.
 10. The method ofclaim 9 further comprising exchanging information between the firstnetwork device and the validated second network device.
 11. The methodof claim 9 wherein the first byte size is greater than 1500 bytes. 12.The method of claim 9 wherein the first byte size is greater than themaximum size of an Ethernet frame.
 13. The method of claim 9 wherein thesecond byte size is less than or equal to the maximum size of anEthernet frame.
 14. The method of claim 9 wherein the first byte sizeequals a maximum transmit unit size for a link layer protocol plus anumber of bytes corresponding to an encapsulation header, and whereinthe second number of bytes is the maximum transmit unit size for thelink layer protocol.
 15. The method of claim 9 wherein the transmittingone or more discovery messages comprises broadcasting discovery requestsover the network; and receiving at least one discovery response from oneor more network devices.
 16. The method of claim 9 wherein the first andsecond messages each include a first digital certificate, the firstdigital certificate comprising a first public key; and wherein theresponse includes a second digital certificate, the second digitalcertificate comprising a second public key; the method furthercomprising validating the response using the second public key.
 17. Themethod of claim 16 wherein the response further comprises a cipherincluding at least one cryptographic key, and a session identifier, andwherein the cipher is generated by asymmetric encryption with the firstpublic key, and wherein the cipher and the session identifier aredigitally signed with a private key of the central control element, andwherein validating the response comprises validating the second digitalcertificate; validating the cipher and session identifier with thesecond public key; comparing the session identifier in the join responseto the session identifier in the join request; decrypting the cipherwith a private key; and installing the symmetric encryption key if thesecond digital certificate and the session identifier in the joinresponse are valid.
 18. A wireless network system, comprising aplurality of access elements operative to communicate with one or morecentral control elements; a plurality of central control elements forsupervising the access elements, wherein the central control elementsare each operative to exchange validating information with accesselements, and exchange configuration information with validated accesselements; wherein the access elements are each operative to discover oneor more central control elements, wherein the one or more centralcontrol elements each provide a central control element identifier,select a central control element from the discovered central controlelements, exchange validating information with the selected centralcontrol element by transmitting a first join request having a first bytesize to the selected central control element; if a join response to thefirst join request is not received, transmitting a second join requesthaving a second byte size, wherein the second byte size is less than thefirst byte size; and validating a join response received from theselected control element, exchange configuration information with thevalidated central control element, and establish and maintain, undercontrol of the validated central control element, wireless connectionswith remote client elements.
 19. The wireless network system of claim 18wherein at least one central control element of the plurality of centralcontrol elements is a master central control element; and wherein theaccess elements are operative to select the master control element fromthe discovered central control elements, else, select the centralcontrol element reporting a lowest load parameter.
 20. The wirelessnetwork system of claim 18 wherein the plurality of central controlelements are each operative to generate cryptographic keys, provide atleast one cryptographic key to validated access elements, and whereincommunication of management data between the plurality of accesselements and the plurality of central control elements is encryptedusing the at least one cryptographic key.